Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?


26 Answers

Anonymous 0 Comments

Simply put, using numbers and letters increases the number of characters that need to be included when attempting to guess a password.

With 12 characters,
if using numbers only: 10 characters (14 hours to crack)
if using lower case letters only: 26 characters
if using upper case and lower case letters: 52 characters
If using numbers, upper case, lower case, and special characters: 83 characters (205 million years)

Making your password 13 characters long would increase the crack time to 20 billion years.

Thus, if you have a 13 character password where someone has to try 83 different character variations for each bit in your password you dramatically increase the amount of time required to crack a password.

Anonymous 0 Comments

If an attacker doesn’t know the possible input combinations for a valid password then they really have no choice but to try all of them but they can still simplify things a bit. If there are mandatory symbol combinations it gets much, much harder.

A lazy brute force attacker might try 0-16 symbols all lower case first, followed by 0-16 symbols all upper case, then 0-16 symbols mixed upper and lower case, followed by 0-16 symbols of just numbers, followed by 0-16 symbols of mixed uppercase, lowercase, numbers, and exclamations.

There are 26 letters in the Latin alphabet, 10 numbers, and plenty of additional symbols such as punctuation marks.

26 lower case symbols, 26 upper case symbols, 10 numeric symbols, and 18 other printable symbols is 80 possible symbols per symbol in a passcode.

If we allow only numbers and limit a passcode length to 4, then we have 10^4 possible input values, or 10,000. That’s chickenshit for any computer to brute force.

If we allow any combination of letters, numbers, and symbols with a minimum passcode length of 6 then a user with a password that contains only 6 lower case letters will require only 308,915,776 guesses at most. A lazy attacker will inevitably breach a few accounts with unsophisticated passwords assuming no lockout policy. Someone will inevitably use ‘passwd’ as their password and this will get brute forced.

If we require our password to have at least one upper case letter, one lower case letter, one number, one of 18 valid symbols (eg, +÷=<>), and a minimum length of 8 characters then the maximum number of attempts before a breach is guaranteed balloons to 1.66E+15, or 1.67 quadrillion. Attempts to find poor passwords using this method just won’t work. Small input fields such as 6 lower case characters will never work so it’s not even worth trying.

Anonymous 0 Comments

Imagine creating a password that is 2 letters long and can only contain the letters “a” and “b”.

How many can you create? Four: “aa”, “ab”, “ba”, “bb”. It’s very easy for a hacker to guess your password if they only need 4 tries.

Now change the rules to allow using “a”, “b” or any number (0-9). How many passwords can you now create? A lot more: “aa”, “a0”, “a1”, “a2”, “b3”, “44”, “8b”, “bb”, etc. (144 to be exact). This is a lot harder to guess.

Now think about how many tries you need to guess if you can use any letter a-Z, and any number for any length of password. It grows so fast that eventually a computer can’t guess it in a billion years (with current tech at least).

Anonymous 0 Comments

A password with letters and numbers in it is harder to brute force because there are more potential solutions to the problem. For example, with a single symbol password that consists of just letters then we have 26 potential passwords. If we change that to letters and numbers then we have 36 potential passwords (26 letters and 10 single digits).

Anonymous 0 Comments

It adds more combinations.

A four character password with only lowercase letters has 26x26x26x26=456,976 possible combinations.

A four character password with lowercase letters or numbers is 36x36x36x36=1,679,616 combinations.

Anonymous 0 Comments

If the attacker knows that a given site doesn’t enforce passwords to have numbers and punctuation, then the attackers may as well just run a first round of brute force to pick up those passwords with only letters. So basically, by enforcing strong passwords a site can protect those who would otherwise have picked a weak one, from their own stupidity.

Anonymous 0 Comments

I just use the same password for everything. It is password123! That makes it easy for me to remember my password for everything

Anonymous 0 Comments

Password “strength” comes down to something called **”entropy”**. In this context, entropy means how *un*predictable something is — and it is the basis for strength because a password that is predictable is a password that is easy to guess. The more entropy a password has, the harder it is for an attacker to guess randomly. Entropy is measured in bits. Each bit of entropy roughly doubles the amount of work that the attacker has to do to guess a random password. I won’t go into detail about the math, but in general you get entropy by making random selections. There are two things that are important:

1. The amount of entropy you get from a single random selection depends on how many possible outcomes there are. If you randomly flip a coin there are two possible outcomes (heads or tails), and this is worth one bit of entropy. Choosing one word at random from a dictionary of 8200 words is worth about 13 bits of entropy.
2. Making multiple random selections adds the entropy of each selection. If you randomly flip a coin twice, it is worth 2 bits of entropy. Choosing two words at random from a dictionary of 8200 words is worth 26 bits of entropy.

To bring this back to your question, randomly creating a password involves making a random selection for each character of the password. Each character of the password is a choice, and the character set determines the number of possible outcomes. So the bigger the character set, the more entropy each choice contributes.

To make a simple example, let’s say we’re talking about a 4-character password, like a bank card PIN. Let’s also say that you can type a password and see the result in 2 seconds, and there’s no limit to the number of times you can try, and that you and your team can work round-the-clock, 24/7. So:

* If the password is only made up of numbers, there are 10,000 possible passwords, and it would take you on average about 3 hours to guess the password.
* If the password is made up of uppercase and lowercase letters, there are 7.3 *million* possible passwords and it would take you just under 3 *months* to guess it.
* If you add numbers to the letters, there are now over 14.7 *million* possible passwords, and it would take you an average of about 6 *months* (171 days) to guess it.
* If you make the password out of all 92 keyboard characters, there are 71.6 million possible passwords, and it would take you over 2 *years* to guess it.

So just adding digits doesn’t fundamentally change the brute-force attack procedure (which is to try all possibilities until you find the correct password), but adding digits to the character set has almost *doubled* the work that you as the attacker have to do to break the password compared to a password that was only uppercase or lowercase letters.

Of course, an attacker using a computer or computer network can guess millions or billions of passwords per second. This is why passwords need to be long (so that they have multiple random choices) and need to include as many different kinds of characters as possible (so that each choice contributes as much entropy as possible).
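The keyspace counts, entropy bits and guess times quoted in this answer and in the earlier 4-character (26^4 vs 36^4) and 12/13-character answers can be reproduced with a few lines of Python. The script below is an added example, not code from any of the posters. It assumes the four ASCII character classes used on this page (26 lower, 26 upper, 10 digits, 32 printable punctuation symbols; other answers quote 18 symbols or 92 keyboard characters, so the symbol count is a constructed choice), a guess rate you pass in (0.5 guesses/second is the "2 seconds per try" figure from the answer above), and a uniformly random password, so the average attacker effort is half the keyspace. `effective_alphabet` makes the point of the "first round of brute force" answer concrete: a password that only uses lowercase letters lives in the 26-character space no matter how large the site's allowed alphabet is.

```python
import math
import string

# Character classes as used in the answers on this page (constructed sizes;
# the symbol class is the 32 printable ASCII punctuation characters).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: each position contributes
    log2(alphabet_size) bits, and independent choices add up."""
    return length * math.log2(alphabet_size)


def average_guess_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password: on average the
    attacker gets through half the keyspace before hitting it."""
    return (space / 2) / guesses_per_second


def classes_used(password: str) -> set:
    """Which of the four classes appear in the password. Characters outside
    printable ASCII (e.g. a non-ASCII symbol) are not classified."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def effective_alphabet(password: str) -> int:
    """Size of the smallest class union containing the password. This is the
    space a class-by-class first-round attacker actually has to search,
    regardless of what the site would have allowed."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def compare_alphabets(length: int, guesses_per_second: float) -> dict:
    """Keyspace, entropy and average crack time for the alphabets discussed on
    this page, at a fixed password length and guess rate."""
    sizes = {"digits": 10, "lower": 26, "upper+lower": 52,
             "upper+lower+digits": 62, "all four classes": 94}
    report = {}
    for label, size in sizes.items():
        space = keyspace(size, length)
        report[label] = {
            "keyspace": space,
            "bits": round(entropy_bits(size, length), 1),
            "avg_days": average_guess_seconds(space, guesses_per_second) / SECONDS_PER_DAY,
        }
    return report


if __name__ == "__main__":
    # Reproduce the answer's 4-character, 2-seconds-per-try scenario.
    for label, row in compare_alphabets(4, 0.5).items():
        print(f"{label:>20}: {row['keyspace']:>12,} passwords, "
              f"{row['bits']:>5} bits, avg {row['avg_days']:>8.1f} days")
    # One word from an 8200-word dictionary is about 13 bits; two words, 26.
    print("one word:", round(entropy_bits(8200, 1), 2), "bits;",
          "two words:", round(entropy_bits(8200, 2), 2), "bits")
    # A lowercase-only password is searched in the 26-character space even
    # though the site allowed all 94 characters.
    for pw in ("passwd", "dlagH1&$tm"):
        print(pw, "->", sorted(classes_used(pw)), "effective alphabet",
              effective_alphabet(pw))
```

Running it gives the same numbers as the answer: 10,000 PINs at 0.5 guesses/second average out to about 2.8 hours, 52^4 = 7,311,616 to just under three months, and 62^4 = 14,776,336 to 171 days. Swap 0.5 for a realistic offline rate of 10^9 guesses/second and the 4-character case collapses to milliseconds, which is the point the answer makes about length: each extra character multiplies the keyspace by the alphabet size, whereas a larger alphabet only multiplies it once per position.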

Anonymous 0 Comments

Try to guess a one-character-long password that uses only lowercase letters. You have a 1/26 chance (roughly 3.8%), because that’s how many lowercase letters there are (i.e. a-z).

Now add numbers, of which there are ten (i.e. 0-9). Your odds decrease to 1/36 (or ~2.8%) by adding numbers to the pool of letters.

You can continue this exercise with the addition of uppercase letters and symbols, and then ultimately by raising the length of the password from one character to many.

TL;DR: By increasing the number of possible characters, you’re making it harder for each one to be guessed.

Anonymous 0 Comments

So, you have 26 letters. From aaa to zzz you have some 17k passwords (26x26x26).

Add numbers to get 26+10 and you get 45k combinations from aaa to 999 (36x36x36).

You can see how adding a bit more complexity changes the combinations quickly. If you add different cases you get 238k. And if the minimum length is 10 chars you get 839 followed by 15 zeros against 141 and 12 zeros from only letters.

It’s harder to try all combinations, that’s why it’s more secure.

A good password could be a proverb’s initials and some numbers and symbols: don’t look a gift horse in the mouth > dlagH1&$tm. Where the uppercase isn’t the first letter (but the sentence’s subject) and the symbols are inserted at some random location, also some letters are exchanged by numbers. Find your own proverb, that one is a short example.

Don’t use the current year or your birthday, that’s what every hacker tries first. Don’t put the numbers at the end. Don’t be obvious. Be creative.

Want a simple number? Think of a place you like, Google when was it opened/inaugurated/established. That’s a good number no one can guess. Like some railroad station, Google when was it created, there you go. Let’s say dlagH1465t$m for something from April 1965. Instead of a proverb use your own phrase: I love the train Station on my town > i<3ttS0m465t (yeah, that’s a heart <3).

Be creative. Those are examples I came up with while writing this, it’s not that hard 😂